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REMARKS 

The Applicant and the undersigned thank Examiner Nalven for his careful review of this 
application and especially for his time and consideration given during the telephonic interview of 
September 12, 2005. A summary of this telephonic interview is provided below. 

Claims 1-57 have been rejected by the Examiner. Upon entry of this amendment, Claims 
2, 5, 15, 41, and 51 have been cancelled while Claims 1, 3-4, 6-14, 16-40, 42-50, and 52-57 
remain pending in this application. The independent claims are Claims 1, 14, 25, 37, 50, and 56. 

Consideration of the present application is respectfully requested in light of the above 
claim amendments to the application, the telephonic interview, and in view of the following 
remarks. 

Summary of Telephonic Interview of September 12, 2005 

The Applicant and the undersigned thank Examiner Nalven for his time and consideration 
given during the telephonic interview of September 12, 2005. During this telephonic interview, 
a proposed amendment to the claims was discussed. The Applicant provided the proposed 
amendment to the claims in advance of the interview. 

The Applicant's representative explained that the invention as recited in the amended 
independent claims evaluates contextual information related to a data signature by comparing the 
contextual information and data signature to a table that comprises contextual information, data 
signatures, and alert condition values. The invention then assigns an alert condition value based 
on the comparison of the contextual information and data signature to data in the table. 

Meanwhile, the prior art, such as U.S. Patent No. 6,301,668 issued in the name of 
Gleichauf et al. (hereinafter, the "Gleichauf reference") does not look for data signatures or for 
any context of data signatures as recited in the amended independent claims. Examiner Nalven 
acknowledged these deficiencies of the Gleichauf reference in his Final Office Action of May 
13, 2005 and to overcome them, the Examiner relied upon U.S. Patent No. 6,279,113 issued in 
the name of Vaidya (hereinafter the "Vaidya reference). 

However, the Vaidya reference as well as the Gleichauf reference do not provide any 
teaching of a table that comprises contextual information, data signatures, and alert condition 
values. Further, both the Vaidya reference and Gleichauf reference also do not provide any 
teaching of comparing the contextual information and data signature with the table and assigning 
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an alert condition value based on the comparison of the contextual information and data 
signature to data in the table. 

After listening to the Applicant's representative's discussion of the amended claims, 
Examiner Nalven stated that these amendments would be considered when a formal response is 
submitted. Examiner Nalven believed that these amendments would likely overcome the prior 
art of record but he indicated that an update search would be conducted. 

The Applicant and the undersigned request Examiner Nalven to review this interview 
summary and to approve it by writing "Interview Record OK" along with his initials and the date 
next to this summary in the margin as discussed in MPEP § 713.04, p. 700-202. 

Claim Rejections Under 35 U.S.C. 88 102 and 103 

The Examiner rejected Claims 1, 3-4, 6, 14, 18-21, 25-26, 32, 34, 37-40, 42, 50, and 54- 
56 are rejected under 35 U.S.C. § 103(a) as being unpatentable over the Gleichauf reference in 
view of the Vaidya reference. The Examiner rejected Claims 7-8, 10-12, 22, 27, 29-31, 43-44, 
46-48, and 57 under 35 U.S.C. § 103(a) as being unpatentable over the Gleichauf reference in 
view of the Vaidya reference and further in view of U.S. Pat. No. 5,991,881 issued in the name 
of Conklin et al. (hereinafter, the "Conklin reference")- 

The Examiner rejected Claims 9, 23, and 45 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf reference, the Vaidya reference, the Conklin reference, and 
fbrther in view of U.S. Patent Application Publication No. 2002/0083331, published in the name 
of Krumel (hereinafter, the "Krumel reference"). The Examiner rejected Claims 13 and 49 under 
35 U.S.C. § 103(a) as being unpatentable over the Gleichauf reference, the Vaidya reference, the 
Conklin reference, and further in view of a Printed Publication entitled, "Detecting Backdoors," 
authored by Zhang et al. (hereinafter, the "Zhang reference"). 

The Examiner rejected Claims 16, 35, and 52 under 35 U.S.C. § 103(a) as being 
unpatentable over the Gleichauf reference, the Vaidya reference, and further in view of U.S. 
Patent No. 6,301,668 issued in the name of Ji et al. (hereinafter, the "Ji reference"). The 
Examiner rejected Claims 17 and 53 under 35 U.S.C § 103(a) as being unpatentable over the 
Gleichauf reference, the Vaidya reference, the Ji reference, and fbrther in view of a Printed 
Publication entitled, "Security Reality Check," authored by Farrow (hereinafter, the Harrow 
reference"). 
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The Examiner rejected Claim 24 under 35 U.S.C. § 103(a) as being unpatentable over the 
Gieichauf reference, the Vaidya reference, the Conklin reference, the Krumel reference, and 
further in view of the Zhang reference. The Examiner rejected Claim 28 under 35 U.S.C. 
§ 103(a) as being unpatentable over the Gieichauf reference, the Vaidya reference, the Conklin 
reference, and further in view of the U.S. Patent No. 6,275,942 issued in the name of Bernhard et 
al (hereinafter, the "Bernhard reference"). The Examiner rejected Claims 33 and 36 under 35 
U.S.C, § 103(a) as being unpatentable over the Gieichauf reference in view of the Vaidya and 
Krumel references. 

The Applicant respectfully offers remarks to traverse these pending rejections. Hie 
Applicant will address each independent claim separately as the Applicant believes that each 
independent claim is separately patentable over the prior art of record. 

Independent Claim 1 

The rejection of Claim 1 is respectfully traversed. It is respectfully submitted that the 
Gieichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fell to describe, teach, or suggest the combination of: (1) creating a table 
comprising (2) contextual information, (3) data signatures, and (4) alert condition values; (5) 
detecting a data signature by evaluating communications at an application layer level between a 
target and a suspect; (6) correlating said data signature with an application layer fingerprint of 
the target to determine to what extent said target is vulnerable to said data signature; (7) 
evaluating contextual information related to the data signature by (8) comparing the contextual 
information and the data signature to the table in order to determine a likelihood that said target 
is under attack, (9) the contextual information comprising at least one of (9a) an application layer 
data field type used to encapsulate the data signature and (9b) an application layer protocol type 
used to transmit the data signature; and (10) assigning an alert condition value to the data 
signature based on the comparison of the contextual information and data signature to data in the 
table, as recited in amended independent Claim 1 . 

The_Gleichauf Reference 

The Gieichauf reference generally describes a system for adaptive network security using 
network vulnerability assessment The network environment can comprise devices that form an 
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internal network, protection for the internal network, and an external network. The internal 
network, indicated generally at 10, can comprise a plurality of workstations 12 coupled to a 
network backbone 14. Network backbone 14 can comprise, for example, an Ethernet, FDDI, 
token ring, or other type of network backbone. Protection for internal network 10 can be 
provided by firewall 16 and a router 18 which axe coupled to network backbone 14- Router 18 
serves as a gateway between internal network 10 and an external network 30. External network 
30 can be, for example, the Internet or other public network. Firewall 16 can serve to limit 
external access to resources in internal network 10 and protect these internal resources from 
unauthorized use, See Figure 2 of the Gleichauf reference reproduced below, and in column 4, 
lines 40-58. 



oursioe 




FfG. 2 



Internal network 10 of the Gleichauf reference ftirther comprises a network security 
system 20 coupled to network backbone 14. The network security system 20 can include a scan 
engine 22 and a protocol engine 24 coupled to network backbone 14. A signature engine 26 is 
coupled to protocol engine 24. The scan engine 22 is further coupled to network map 28. The 
signature engine 26 is coupled to attack signatures 30. A priority engine 32 is coupled to 
network map 28, protocol engine 24 and signature engine 26. The protocol engine 24 and 
signature engine 26 are each also coupled to a storage 36. See the Gleichauf reference, column 
4, lines 58-68. 
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The Gleichauf reference explains that the protocol engine 24 performs a plurality of 
protocol analyses upon monitored traffic on network backbone 14 in order to detect attacks upon 
the network. Attacks upon the network include unauthorized accesses, policy violations, and 
patterns of misuse. The protocol engine 24 can perform the following protocol analyses upon 
monitored traffic on network backbone 14: checksum verification (IP, TCP, UDP, ICMP, etc.), 
IP fragment reassembly, TCP stream reassembly, protocol verification (such as insuring the IP 
header length is correct and the TCP data gram is not truncated), and timeout calculations. See 
the Gleichauf reference, column 6, lines 24-37, 

The signature engine 26 of the Gleichauf reference is coupled to protocol engine 24 and 
can perform further analysis tasks in order to detect attacks upon network backbone 14. 
Signature engine 26 compares monitored traffic with attack signatures 30. Attack signatures 30 
can comprise, for example, a rules-based hierarchy of traffic signatures of known policy 
violations. Signature engine 26 can compare packets from the network traffic with such attack 
signatures 30 such that policy violations can be discovered. See the Gleichauf reference, column 
6, lines 38-45. 

The Gleichauf Reference Does Not Use Contextual Information 

Opposite to the protocol engine 24 and signature engine 26 of the Gleichauf reference, 
the invention described by amended independent Claim 1 monitors communications at an 
applications layer instead of the network and transport layers. Further, the invention as recited in 
amended independent Claim 1 evaluates data signatures in combination with contextual 
information related to data signatures. The contextual information can comprise at least one of 
an application layer data field type used to encapsulate the data signature and an application 
layer protocol type used to transmit the data signature. 

The Gleichauf reference evaluates protocols separately from its data signatures. That is, 
the Gleichauf reference uses a protocol engine 24 to evaluate protocol information separately 
from a signature engine 26« The Gleichauf signature engine 26 only monitors network level 
communications traffic for text that matches certain signatures. 

Additionally, the Gleichauf reference also does not provide any teaching of a table that 
comprises contextual information, data signatures, and alert condition values. The Gleichauf 
reference also does not provide any teaching of comparing the contextual information and data 
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signature with the table and assigning an alert condition value based on the comparison of the 
contextual information and data signature to data in the table. 



The Vaidva Reference 

The Examiner admits that the Gleichauf signature engine 26 only monitors network level 
communications traffic for text that matches certain signatures and that the Gleichauf reference 
does not use contextual information. To make up for these deficiencies, the Examiner relies 
upon the Vaidya reference. See Column 4, lines 27-31 of the Vaidya reference that describes 
how this system monitors communications for security at all seven layers. 

The Vaidya reference also describes how data transmitted over the network is monitored 
by a data monitoring device using data collectors (10) to detect data addressed to the network 
objects located in segments (14, 16, 18). Upon detecting data addressed to one of the network 
objects, a set of signature profiles corresponding to that network object of a segment (14, 16, 18) 
is accessed from the signature profile memory (39) of a data collector (10) based on the 
association data. At least one attack signature profile from the set of profiles is processed by the 
processor (36) to determine if the data addressed to the network object of a particular segment 
(14, 16, 18) is associated with a network intrusion. See column 3, lines 40-47 of the Vaidya 
reference; see also Figure 1 of the Vaidya reference below that describes the overall system that 
includes data collectors (10) and network objects (14, 16, 18). 
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In a preferred embodiment, each data collector (10) includes a data monitoring device, an 
attack signature profile memory (39), and a processor (36), Data collectors (10) are deployed at 
multiple sites in different segments (14, 16, 18) of the network. A network configuration 
generator (28) assigns sets of attack signature profiles to each data collector (10) based on the 
network objects located on the network segment (14, 16, 18) on which each data collector (10) is 
deployed. A particular data collector (10) monitors network data only for data addressed to the 
network objects located on that data collector's network segment (14, 16, 18). See Vaidya 
reference, column 3, lines 48-60. 
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By distributing the network monitoring responsibilities among multiple data collectors 
(10), high performance of the dynamic signature-based network IDS is maintained. Instead of a 
single data collector (10) monitoring the entire network data for network intrusion attempts, each 
data collector (10) only monitors a network segment (14, 16, 18) on which it is located or a point 
of entry from an open network, such as the Internet- See column 3, lines 48-65 of the Vaidya 
reference; see also Figure 2 of the Vaidya reference that illustrates further details of the central 
data repository (12) and each data collector (10). See Vaidya reference, column 3, lines 60-64. 

The Vaidya reference, like the Gleichauf reference, does not provide any teaching of a 
table that comprises contextual information, data signatures, and alert condition values. Further, 
the Vaidya reference also does not provide any teaching of comparing the contextual information 
and data signature with the table and assigning an alert condition value based on the comparison 
of the contextual information and data signature to data in the table. 
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The Conklin Reference 

The Examiner admits that the Gleichauf reference fails to teach listening for a response to 
a data signature from a target. To make up for this deficiency, the Examiner relies upon the 
Conklin reference. 

The Conklin reference describes systematic monitoring, intrusion identification, 
notification, and tracking of unauthorized activities, such as methods or systems used by 
"hackers" to intrude computer networks. The Conklin reference teaches a star configuration of 
two Ethernet network segments 'B' and C C and a terminal network connection leading to a 
network surveillance device for a computer network as illustrated in Figure 2. The system of the 
Conklin reference broadcasts communications between any two computers on an Ethernet 
segment that is monitored by an out-of-line surveillance device. See Conklin reference, column 
2, lines 58-66. 
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The Conklin reference explains that its intrusion detection may incorporate algorithms or 
patterns to detect attempted intrusions or intrusions on the network. As each packet of network 
data is passed from the network observation function, the intrusion detection function examines 
the data in comparison to a series of predefined or learned patterns which are pre-stored or 
developed from data received from the network. 

In the Conklin reference, the network data is compared to a database of known patterns. 
If the collected data matches the databases stored data, individually or collectively, then the 
network surveillance system identifies the network data as a reportable activity and the network 
surveillance system components are activated and a data channel is opened between the network 
observation function and the evidence logging function. 

Similar to the Gleichauf reference, the Conklin reference does not provide any teaching 
of evaluating data signatures at an applications layer in combination with contextual information 
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related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Conklin reference, like the Gieichauf 
reference, only evaluates data signatures alone without any context. The Conklin reference also 
does not provide any teaching of comparing contextual information and a data signature with a 
table and assigning an alert condition value based on the comparison of the contextual 
information and data signature to data in the table. 

The Krumel Reference 

The Examiner admits that the Gieichauf reference fails to teach determining if a packet is 
an unknown command. To make up for this deficiency, the Examiner relies upon the Krumel 
reference. 

The Krumel reference has a data protection system 1 that is coupled through a port to 
router 2 (or cable modem or other preferably broadband, persistent network connection access 
device), which is linked through a broadband connection to other computer systems and 
networks, exemplified by Internet 8 and Internet Service Provider (ISP) 10. Packets of data are 
transmitted from an ISP, such as ISP 10, via Internet 8 to router 2. The packets are transmitted to 
data protection system 1, which analyzes the packets in "real time" and without buffering of the 
packets, while at the same time beginning the process of transmitting the packet to the internal 
network(s) in compliance with the timing requirements imposed by the Ethernet or other network 
standards and protocols. See Figure 1 of the Krumel reference reproduced below. 



If a packet of data in the Krumel system satisfies title criteria of the rules-based filtering 
performed within data protection system 1, which is executed in a manner to be completed by the 

-22- 
PAGE 28/39 • RCVDAT 9/13/2005 6:00:00 PM [Eastern Daylight Time] % SMPT0-EFM5 ! DWSOTOO 1 C$ID:M4 572 5145 ' DURATION (mnvs$):15-24 




SEP 13 2005 18:13 FR KING AND SPALDING 404 572 5145 TO 555 1 «05456tt 1 0503 P 

Application Serial No. 09/874,574 

time the entire packet has been received by data protection system 1, then it is allowed to pass to 
hub 6 as a valid packet, which may then relay the cleared packet to computers 4a, 4b, 4c, etc. on 
the internal network. If a packet of data fails to meet the filtering criteria, then it is not allowed 
to pass as a valid packet and is "junked." Without the intermediate positioning of data protection 
system 1, the packets would be transmitted directly to unprotected hub 6, thereby exposing 
computers 4a, 4b and 4c to security risks. Similar filtering is performed on packets that are to be 
transmitted from computers 4a, 4b, and 4c to Internet 8. See the Krumel reference, page 4, 
paragraphs [0067-0068]. 

The Krumel reference explains how TCP (transmission control protocol) and UDP (user 
datagram protocol) packets are evaluated in parallel where TCP and UDP are host-to-host 
protocols located in the transport layer of the protocol stack. See Krumel reference, page 8, 
paragraph [0092]. 

Meanwhile, opposite to the Krumel reference, the invention as recited in amended 
independent Claim 1 evaluates data signatures at an a pplications layer in combination with 
contextual information related to data signatures, where the contextual information can comprise 
at least one of an application layer data field type used to encapsulate the data signature and an 
application layer protocol type used to transmit the data signature. The Krumel reference, like 
the Gleichauf reference, only evaluates data signatures alone without any context and without 
using a table comprising contextual information. 

The Zhang Reference 

The Examiner admits that the Gleichauf and Conklin references fail to teach suspicious 
behavior comprising the transmitting of a root shell prompt to a suspect node. To make up for 
this deficiency, the Examiner relies upon the Zhang reference. 

The Zhang reference generally describes protocol specific algorithms that look for 
signatures particular based on different protocols. Specifically, the Zhang reference describes 
algorithms that find backdoors" in a flood of legitimate network traffic. See Section 6. - 
Summary of the Zhang reference. 

The Zhang reference does not provide any teaching of evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures, where 
the contextual information can comprise at least one of an application layer data field type used 
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to encapsulate the data signature and an application layer protocol type used to transmit the data 
signature. The Zhang reference, like the Gleichauf reference, only evaluates data signatures 
alone without any context. 

The Applicant also notes that the Zhang reference may not constitute enabling prior art 
because of its high-level description or lack of enabling detail for its algorithms. But even if the 
Zhang reference was enabling prior art, it still would not teach evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures 
contained in a table as recited in amended independent Claim 1 . 

The Ji frqfoence 

The Examiner admits that the Gleichauf reference fails to teach a protocol comprising 
HTTP protocol. To make up for this deficiency, the Examiner relies upon the Ji reference. 

The Ji reference describes a corporate environment 202 that includes a host computer 204 
and host computer 206, which are connected to a proxy server 208, representing in this example 
an HTTP proxy server that is interposed between the distributed computer network 1 12 (such as 
the internet) and the host computers of corporate environment 202. The host computer 204 
represents any computer that is capable of requesting and receiving data transfers from 
distributed computer network 1 12 and may be implemented using any of the suitable operating 
systems such as Windows. See Figure 2 of the Ji reference reproduced below. 
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The host computer 204 of the Ji system may access distributed computer network 1 12 via 
a commercial browser such as Internet Explorer by Microsoft Corporation. The browser 210 
within host computer 204 is set to request an auto-config script, i.e., a set of codes that 
automatically starts upon the occurrence of some predefined event, from proxy server 208 when 
browser 210 is started up. See the Ji reference, column 5, lines 2 1 -56. 

With the auto-config script, a distributed virus scanning module or engine at each host 
computer 204 is preferably created and/or updated each time a new browser threat is activated 
and/or an initial HTTP request is issued therefrom. The distributed virus scan engine at each 
host computer 204 can be created from codes/data centrally maintained at one or more servers. 
Hie distributed virus scan engine preferably employs the information contained in virus 
definition files maintained at one or more servers on the LAN in order to perform its own virus 
scan at its host computer. In this manner, the advantages associated with centrally managed 
virus scanning solutions (e.g., ease of maintenance and updates as there are fewer servers 
involved) are achieved while the disadvantages (e.g., periodic manual updating and maintenance 
at each host computer) are avoided. See the Ji reference, column 5, lines 5-20. 

The Ji reference, like the Gleichauf reference, does not provide any teaching of 
evaluating data signatures at an applications layer in combination with contextual information 
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related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Ji reference, like the Gleichauf reference, 
only evaluates data signatures alone without any context and without using a table comprising 
contextual information. 

The Farrow Reference 

The Examiner admits that the Gleichauf and Ji references fail to teach detecting a data 
signature of "cgi-bin/phf.*' To make up for this deficiency, the Examiner relies upon the Farrow 
reference. 

The Farrow reference is a product review article that describes various intrusion detection 
systems that were available in July 1999. The Farrow reference mentions the "cgi-bin/phf 5 
string in a section of the article that addresses stealth attacks. The authors of the article tested 
several IDS products with this string. 

The Farrow reference, like the Gleichauf reference, does not provide any teaching of 
evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures, where the contextual information can comprise at least one of an 
application layer data field type used to encapsulate the data signature and an application layer 
protocol type used to transmit the data signature. The Farrow reference, like the Gleichauf 
reference, only evaluates data signatures alone without any context and without a table 
comprising contextual information. 

The Applicant also notes that the Farrow reference may not constitute enabling prior art 
because of its high-level description of products in the market during July 1999. But even if the 
Farrow reference was enabling prior art, it still would not teach evaluating data signatures at an 
applications layer in combination with contextual information related to data signatures in a table 
as recited in amended independent Claim 1 . 

The Bernhard Reference 

The Examiner admits that the Gleichauf and Conklin references fail to teach the data 
signature being a passwd in a context where filenames are likely to appear To make up for this 
deficiency, the Examiner relies upon the Bernhard reference. 
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The Bemhard reference describes a computer network 100 that includes a second line 
firewall 106 connected to a LAN server 112. The computer network 100 also includes a third 
firewall 108, a Kerberos server 110, an intranet Web server 114, a plurality of data processing 
systems (i.e., workstations) H6a-n, and an Internet Web server 118. All of these network 
elements connected to LAN 101 are monitored for computer misuse using an intrusion detection 
system (IDS) software 120. See Figure I of the Bemhard reference blow. 
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The IDS software 120 of the Bemhard reference may reside and be centrally configured 
and monitored from a sysadmin workstation 122. The IDS software 120, as indicated in FIG. 1, 
may also reside on one or more of the network elements (e.g., data processing systems 116) as 
well as at various points within the LAN 101 between network elements (thereby acting as 
network-level detectors). The IDS software 120 may operate on any number of principles, such 
as the one specified in U.S. Pat. No. 5,557,742 issued to Smaha et al. The ARMs of the 
Bemhard reference operate with the particular misuse engine of the IDS software 120 selected 
and installed by the sysadmin of the computer network 100 in a "plug and play" manner. In 
other words, the ARMs reside in the IDS software 120. See the Bemhard reference, column 5, 
lines 1-25 

The Bemhard reference explains that its product provides for automatic response to 
computer system misuse using active response modules (ARMs). The Bemhard reference 
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describes steps of defining a plurality of ARMs to process instances of computer misuse, 
receiving an instance of misuse from an intrusion detection system (the instance of the misuse 
having been detected by the misuse engine) and identifying ARMs associated with and activated 
for the detected computer misuse. The method then, for each of the identified ARMs, collects 
pertinent data from the misuse engine and invokes each of the identified ARMs with the 
pertinent data. See the Bernhard reference, column 4, lines 26-39. 

As noted above, the Bernhard reference describes what actions are taken after a security 
event is detected. The Bernhard reference does not relate or describe how security events are 
detected as evidenced above by the admission that the IDS software 120 may operate on any 
number of principles, such as the one specified in US. Pat. No. 5,557,742 issued to Smaha et al. 
It follows that the Bernard reference, like the Gleichauf reference, does not provide any teaching 
of evaluating data signatures at an applications layer in combination with contextual information 
related to data signatures that are contained in a table, where the contextual information can 
comprise at least one of an application layer data field type used to encapsulate the data signature 
and an application layer protocol type used to transmit the data signature. 

Conclusion Regarding Independent Claim 1 

In light of the differences between Claim 1 and the Gleichauf, Vaidya, Conklin, Krumel, 
Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in the art 
recognizes that the combination proposed by the Examiner cannot anticipate nor render obvious 
the recitations as set forth in amended independent Claim 1. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 1 are respectfully requested. 

Independent Claim 14 

The rejection of Claim 14 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fail to describe, teach, or suggest the combination of: (1) creating a table 
comprising data signatures provided in context; (2) identifying a data signature encapsulated in 
an application layer data field and directed at a target using an application layer protocol; (3) 
: * evaluating a context of the data signature by one of: (3a) reviewing the application layer data 

field type; (3b) reviewing the application layer protocol type; and (3c) comparing the evaluated 
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context of the data signature to the table; (4) determining whether said data signature poses a 
threat based on said context of said data signature; and (5) assigning an alert condition to the data 
signature based on the comparison of the context to data in the table, as recited in amended 
independent Claim 14, 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 14. 

In light of the differences between Claim 14 and the Gleichauf, Vaidya, Conklin, Krumel, 
Zhang, Ji, Farrow, and Bemhaid references mentioned above, one of ordinary skill in the art 
recognizes that the combination proposed by the Examiner cannot anticipate or render obvious 
the recitations as set forth in amended independent Claim 14. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 14 are respectfully requested. 

Independent Claim 25 

The rejection of Claim 25 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fail to describe, teach, or suggest the combination of: (1) creating a table 
comprising (2) contextual information, (3) data signatures, and (4) relative alert condition values; 
(5) monitoring a plurality of data transmissions at an applications layer level between a suspect 
and a target to identify one or more data signatures, (6) said data transmissions indicating a 
current state of communication between said suspect and said target; (7) evaluating contextual 
information related to each data signature by comparing the contextual information and data 
signatures to the table, (8) the contextual information comprising at least one of (8a) an 
application layer data field type used to encapsulate a respective data signature and (8b) an 
application layer protocol type used to transmit a respective data signature; (9) evaluating a 
likelihood that said target is under attack based on the contextual information of one or more data 
signatures of said transmissions and said current state of communication; and (10) assigning a 
relative alert condition value to the data signature based on the comparison of the contextual 
information to data in the table, as recited in amended independent Claim 25. 
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Similar to the Examiner's analysis of independent Claim 1, the Examiner's proposed 
combination of references fails to address the specifics of evaluating a context of a data signature 
by comparing the data signature to a table comprising contextual information, as recited in 
amended independent Claim 25. 

In light of the differences between Claim 25 and the Gleichauf, Vaidya, Conklin, Krumel, 
Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in the art 
recognizes that the combination proposed by the Examiner cannot anticipate or render obvious 
the recitations as set forth in amended independent Claim 25. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 25 are respectfully requested. 

Independent Claim 37 

The rejection of Claim 37 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fail to describe, teach, or suggest the combination of: (1) creating a table 
comprising (2) contextual information, (3) data signatures, and (4) relative alert condition values; 
(5) detecting a data signature by evaluating communications at an application layer level 
between a target and a suspect; (6) correlating said data signature with a fingerprint of the target 
to determine to what extent said target is vulnerable to said data signature; and (7) evaluating 
contextual information related to the data signature by comparing the contextual information and 
the data signature to the table in order to determine a likelihood that said target is under attack, 
(8) the contextual information comprising at least one of an (8a) application layer data field type 
used to encapsulate the data signature and an (8b) application layer protocol type used to 
transmit the data signature; and (9) assigning an alert condition value to the data signature based 
on the comparison of the contextual information and data signature to data in the table, as recited 
in amended independent Claim 37. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 37. 

' In light of the differences between Claim 37 and the Gleichauf, Vaidya, Conklin, Krumel, 

Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in the art 
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recognizes that the combination proposed by the Examiner cannot anticipate or render obvious 
the recitations as set forth in amended independent Claim 37. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 37 are respectfully requested. 

Independent Claim 50 

The rejection of Claim 50 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fail to describe, teach, or suggest the combination of: (1) creating a table 
comprising data signatures provided in context; (2) identifying a data signature encapsulated in 
an application layer data field directed at a target using an application layer protocol; (3) 
evaluating a context of the data signature by one of: (3a) reviewing the application layer data 
field type; (3b) reviewing the application layer protocol type; and (3b) comparing the evaluated 
context of the data signature to the table; (4) determining whether said data signature poses a 
threat based on said context of said data signature; and (5) assigning an alert condition to the data 
signature based on the comparison of the context to data in the table, as recited in amended 
independent Claim 50. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 50. 

In light of the differences between Claim 50 and the Gleichauf, Vaidya, Conklin, Krumel, 
Zhang, Ji, Farrow, and Bernhard references mentioned above, one of ordinary skill in the art 
recognizes that the combination proposed by the Examiner cannot anticipate or render obvious 
the recitations as set forth in amended independent Claim 50. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 50 are respectfully requested. 

Independent Claim 56 

The rejection of Claim 56 is respectfully traversed. It is respectfully submitted that the 
Gleichauf, Vaidya, Conklin, Krumel, Zhang, Ji, Farrow, and Bernhard references, individually or 
in view of each other, fail to describe, teach, or suggest the combination of: (1) creating a table 
comprising (2) contextual information, (3) data signatures, and (4) relative alert condition values; 
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(5) monitoring a plurality of data transmissions at an applications layer level between a suspect 
and a target to identify one or more data signatures, (6) said data transmissions indicating a 
current state of communication between said suspect and said target; (7) evaluating contextual 
information related to each data signature by comparing the contextual information and data 
signatures to the table, (8) the contextual information comprising at least one of (8a) an 
application layer data field type used to encapsulate a respective data signature and (8b) an 
application layer protocol type used to transmit a respective data signature; (9) evaluating a 
likelihood that said target is under attack based on the contextual information of one or more data 
signatures of said transmissions and said current state of communication; and (10) assigning a 
relative alert condition value to the data signature based on the comparison of the contextual 
information to data in the table, as recited in amended independent Claim 56. 

Similar to the analysis of independent Claim 1, the Examiner's proposed combination of 
references fails to address the specifics of evaluating a context of a data signature by comparing 
the data signature to a table comprising contextual information, as recited in amended 
independent Claim 56. 

In light of the differences between Claim 56 and the Gleichauf, Vaidya, Conklin, Krumel, 
Zhang, Ji s Farrow, and Bemhard references mentioned above, one of ordinary skill in the art 
recognizes that the combination proposed by the Examiner cannot anticipate or render obvious 
the recitations as set forth in amended independent Claim 56. Accordingly, reconsideration and 
withdrawal of this rejection of Claim 56 are respectfully requested. 

Patent Claims 3 -4. $-13, 1fr24, 26-?fr 38-40, 42-49, 52-55, and 57 

The Applicant respectfully submits that the above-identified dependent claims are 

allowable because the independent claims from which they depend are patentable over the cited 

references. The Applicant also respectfully submits that the recitations of these dependent 

claims are of patentable significance. 

In view of the foregoing, the Applicant respectfully requests that the Examiner withdraw 

the pending rejections of dependent Claims 3-4, 6-13, 16-24, 26-36, 38-40, 42-49, 52-55, and 57. 
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CONCLUSION 

The foregoing is submitted as a full and complete response to the Final Office Action 
mailed on May 13, 2005. The Applicant and the undersigned thank Examiner Nalven for 
consideration of these remarks. The Applicant has amended the claims and has submitted 
remarks to traverse rejections of Claims 1-57. The Applicant respectfully submits that the 
present application is in condition for allowance. Such action is hereby courteously solicited. 

If the Examiner believes that there are any issues that can be resolved by a telephone 
conference, or that there are any formalities that can be corrected by an Examiner's amendment, 
please contact the undersigned in the Atlanta Metropolitan area (404) 572-2884. 

Respectfully submitted, 

StekeatT. Wigmore 
Re/ No. 40,447 



September 13, 2005 
King & Spalding LLP 
191 Peachtree Street, N.E, 
Atlanta, Georgia 30303-1763 
telephone: (404) 572.4600 
K&S File No. 05456-105035 
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